
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN448
_____________________________________________________________________

DATE                : 30/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Linux kernel.

=====================================================================
https://github.com/advisories/ghsa-2274-3hgr-wxv6
https://www.openwall.com/lists/oss-security/2026/04/29/23
_____________________________________________________________________


In the Linux kernel, the following vulnerability has been...

Severity: High. Status: Unreviewed. Published Apr 22, 2026 to the
GitHub Advisory Database. Updated Apr 30, 2026.

Package
No package listed

Affected versions
Unknown

Patched versions
Unknown

Description

In the Linux kernel, the following vulnerability has been
resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying
of the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings. Get rid of
all the complexity added for in-place operation and just copy
the AD directly.


References

    https://nvd.nist.gov/vuln/detail/CVE-2026-31431
    https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
    https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
    https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
    https://github.com/theori-io/copy-fail-CVE-2026-31431
    https://copy.fail
    http://www.openwall.com/lists/oss-security/2026/04/29/23
    http://www.openwall.com/lists/oss-security/2026/04/29/25
    http://www.openwall.com/lists/oss-security/2026/04/29/26
    http://www.openwall.com/lists/oss-security/2026/04/30/2
    http://www.openwall.com/lists/oss-security/2026/04/30/5
    http://www.openwall.com/lists/oss-security/2026/04/30/6
    http://www.openwall.com/lists/oss-security/2026/04/30/10
    http://www.openwall.com/lists/oss-security/2026/04/30/11
    https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c
    https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc
    https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667
    https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82
    https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b
    http://www.openwall.com/lists/oss-security/2026/04/30/12

Published by the National Vulnerability Database: Apr 22, 2026
Published to the GitHub Advisory Database: Apr 22, 2026
Last updated: Apr 30, 2026

Severity: High
CVSS v3 base metrics:
    Attack vector: Local
    Attack complexity: Low
    Privileges required: Low
    User interaction: None
    Scope: Unchanged
    Confidentiality: High
    Integrity: High
    Availability: High
    Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 1st percentile
Weakness: CWE-669
CVE ID: CVE-2026-31431
GHSA ID: GHSA-2274-3hgr-wxv6
Source code: No known source code


_____________________________________________________________________


Hi,

This is currently making the rounds and looks pretty
severe:

https://copy.fail/

A local privilege escalation vulnerability with a
working PoC python script exploiting a logic flaw in
the kernel crypto API (AF_ALG) affecting most Linux
distributions.

More detailed write-up:
https://xint.io/blog/copy-fail-linux-distributions

"in 2017, an optimization was added to algif_aead.c
[72548b093ee3](https://github.com/torvalds/linux/commit/72548b093ee3)
to perform AEAD operations in-place.  For decryption,
the code copied AAD and ciphertext data from the TX
SGL into the RX buffer, but chained the tag pages by
reference using sg_chain(). It then set req->src =
req->dst. Page cache pages from splice were now in the
writable destination scatterlist.  authencesn's write
at dst[assoclen + cryptlen] now walked into those
chained tag pages, creating this bug."


"During AEAD decryption, _aead_recvmsg() moves the
queued tag bytes out of the TX SGL and chains them
onto the RX SGL at algif_aead.c:235-244, then submits
the AEAD request with that same RX SGL head as both
src and dst at algif_aead.c:251-252. When the tag
bytes originally came from the splice path in
af_alg_sendmsg() (af_alg.c:1049-1064), those tail
entries still reference file page-cache pages. Most
AEAD implementations only read the tag, but
crypto_authenc_esn_decrypt() treats equal src and
dst as an in-place buffer and writes 4 bytes into the
tag region at authencesn.c:277-279.
The overwrite happens before the tag check that later
returns -EBADMSG at authencesn.c:222-223, so a
failing decrypt still corrupts the spliced file-backed
page."
[...]
"This gives a local unprivileged attacker a controlled
page-cache write primitive against any readable file.
In the minimal setup above, each request overwrites 4
attacker-chosen bytes at the spliced file offset;
repeated requests can patch multiple offsets. Because
the corruption affects cached file pages rather than a
private copy, it can tamper with read-only or setuid
executable content and may enable local privilege
escalation or code execution until the page is
evicted. Exploitability is narrower than a generic
AEAD bug because it specifically requires an
authencesn decrypt path and splice-backed tag pages,
but it does not require a valid authentication tag."



The kernel code changes:

https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/T/#u

In the Linux kernel, the following vulnerability has
been resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the
copying of the associated data.

There is no benefit in operating in-place in
algif_aead since the source and destination come from
different mappings.  Get rid of all the complexity
added for in-place operation and just copy the AD
directly.

The Linux kernel CVE team has assigned CVE-2026-31431
to this issue.

Affected and fixed versions
===========================

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
6.18.22 with commit
fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
6.19.12 with commit
ce42ee423e58dffa5ec03524054c9d8bfd4f6237

Issue introduced in 4.14 with commit
72548b093ee38a6d4f2a19e6ef1948ae05c181f7 and fixed in
7.0 with commit
a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8
https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237
https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5

----

PoC:
https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py


Mitigation:

# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# rmmod algif_aead 


-Jan
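As an added host check (not code from the advisory, the kernel project or Jan's post), the script below classifies a kernel version string against the fixed versions the announcement lists (introduced in 4.14; fixed in 6.18.22, 6.19.12 and 7.0) and verifies whether algif_aead is loaded or blocked by the modprobe "install" rule from the mitigation above. The default paths /proc/modules and /etc/modprobe.d are assumptions about the host, and stable branches the announcement does not name are reported as "unknown" rather than guessed.

```shell
#!/bin/sh
# Added example (not from the advisory or the oss-security post). Classifies a
# kernel version against the CVE-2026-31431 announcement (introduced in 4.14;
# fixed in 6.18.22, 6.19.12 and 7.0) and checks the algif_aead module state.
# Branches the announcement does not name are reported as "unknown" on
# purpose; the distribution's security tracker is the authority for those.

# Reduce "6.18.22-generic" style strings to the leading numeric part.
kver_numeric() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# Print fixed | affected | not_affected | unknown for a kernel version.
cve_2026_31431_status() {
    v=$(kver_numeric "$1")
    case $v in [0-9]*) ;; *) echo unknown; return 0 ;; esac
    maj=${v%%.*}; rest=${v#*.}
    if [ "$rest" = "$v" ]; then rest=0; fi
    min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi
    if [ "$maj" -lt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -lt 14 ]; }; then
        echo not_affected          # predates the 4.14 commit that introduced it
    elif [ "$maj" -ge 7 ]; then
        echo fixed                 # 7.0 carries the fix
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 18 ]; then
        if [ "$pat" -ge 22 ]; then echo fixed; else echo affected; fi
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 19 ]; then
        if [ "$pat" -ge 12 ]; then echo fixed; else echo affected; fi
    else
        echo unknown               # branch not named in the announcement
    fi
}

# True when algif_aead appears in a /proc/modules-style listing (assumed path).
algif_aead_loaded() {
    grep -qs '^algif_aead ' "${1:-/proc/modules}"
}

# True when a modprobe.d directory carries the install-to-/bin/false rule.
algif_aead_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/false' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Report for the running host.
k=$(uname -r)
printf 'kernel %s: %s\n' "$k" "$(cve_2026_31431_status "$k")"
if algif_aead_loaded; then echo 'algif_aead: loaded'; else echo 'algif_aead: not loaded'; fi
if algif_aead_blocked; then echo 'install rule: present'; else echo 'install rule: absent'; fi
```

A host reporting "affected" or "unknown" with the module loaded and no install rule is the case the mitigation above targets; "unknown" still needs the distribution's own tracker to decide.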


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================